
Intrusion Signatures and Analysis [Paperback]

Matt Fearnow , Stephen Northcutt , Karen Frederick , Mark Cooper
4.2 out of 5 stars (8 customer reviews)
List Price: CDN$ 41.99
Price: CDN$ 26.45 & FREE Shipping
You Save: CDN$ 15.54 (37%)


Book Description

Published Jan. 19, 2001. ISBN-10: 0735710635. ISBN-13: 978-0735710634. Edition: 1.

Intrusion Signatures and Analysis opens with an introduction to the output formats of some of the more common sensors, then moves into a tutorial on the standard format used for the signatures and analyses throughout the book. After a challenging four-chapter review, the reader finds page after page of signatures, ordered by category. The content then digs into reaction and response, covering how what you see isn't always what is happening, and how analysts can spend time chasing false positives. Also included is a section on the attacks that shut down the networks and web sites of Yahoo and eBay, and what those attacks looked like. Review questions with answers appear throughout the book so readers can be sure they comprehend the traces and material covered.



Product Description

From Amazon

Stephen Northcutt and coauthors note in the superb Network Intrusion Detection that there's really no such thing as an attack that's never been seen before. The book documents scores of attacks on systems of all kinds, showing exactly what security administrators should look for in their logs and commenting upon attackers' every significant command. This is largely a taxonomy of hacker strategies and the tools used to implement them. As such, it's an essential tool for people who want to take a scientific, targeted approach to defending information systems. It's also a great resource for security experts who want to earn their Certified Intrusion Analyst ratings from the Global Incident Analysis Centre (GIAC)--it's organised, in part, around that objective.

The book typically introduces an attack strategy with a real-life trace--usually attributed to a real administrator--from TCPdump, Snort or some sort of firewall (the trace's source is always indicated). The trace indicates what is happening (i.e. what weakness the attacker is trying to exploit) and the severity of the attack (using a standard metric that takes into account the value of the target, the attack's potential to do damage, and the defences arrayed against the attack). The attack documentation concludes with recommendations on how defences could have been made stronger. These pages are great opportunities to learn how to read traces and take steps to strengthen your systems' defences.

The book admirably argues that security administrators should take some responsibility for the greater good of the Internet by, for example, using egress filtering to prevent people inside your networks from spoofing their source address (thus defending other networks from your own users' malice). The authors (and the community of white-hat security specialists that they represent) have done and continue to do a valuable service to all Internet users. Supplement this book with Northcutt's excellent Network Intrusion Detection, which takes a more general approach to log analysis, less focused on specific attack signatures. --David Wall

Topics covered:

  • external attacks on networks and hosts, as they appear to administrators and detection systems monitoring log files
  • how to read log files generally
  • how to report attacks and interact with the global community of good-guy security specialists
  • the most commonplace critical security weaknesses
  • traces that document reconnaissance probes
  • denial-of-service attacks
  • trojans
  • overflow attacks
  • other black-hat strategies
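As an added example (not code from the book, from the editorial review above, or from any reviewer on this page), the following Python script does in code what the review describes in prose: it parses a tcpdump-style trace, flags the half-open SYN-scan pattern, applies RFC 2827-style anti-spoofing checks (the egress check the review recommends, and its ingress counterpart as a generalization), and scores a detect with the severity formula Northcutt's analysis template uses, (Criticality + Lethality) - (System Countermeasures + Network Countermeasures), which the review paraphrases but does not spell out. The trace lines, the internal network 192.0.2.0/24 and all function names are assumptions constructed for this example.

```python
"""Added example, not code from the book: read a tcpdump-style trace, find the
half-open SYN-scan pattern, apply RFC 2827 anti-spoofing checks in both
directions, and compute Northcutt's severity score. Sample trace is constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# tcpdump layout of the book's era: "HH:MM:SS.usec [IP] src.sport > dst.dport: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:IP\s+)?(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample, as seen by a border sensor guarding 192.0.2.0/24 (assumed).
SAMPLE_TRACE = """\
12:00:01.000000 IP 203.0.113.7.40001 > 192.0.2.10.21: S 1:1(0) win 8192
12:00:01.000200 IP 203.0.113.7.40002 > 192.0.2.10.22: S 1:1(0) win 8192
12:00:01.000400 IP 203.0.113.7.40003 > 192.0.2.10.23: S 1:1(0) win 8192
12:00:01.000600 IP 203.0.113.7.40004 > 192.0.2.10.25: S 1:1(0) win 8192
12:00:01.000800 IP 203.0.113.7.40005 > 192.0.2.10.80: S 1:1(0) win 8192
12:00:01.001000 IP 192.0.2.10.80 > 203.0.113.7.40005: S 5:5(0) ack 2 win 65535
12:00:03.000000 IP 10.9.9.9.1234 > 198.51.100.5.9: udp 64
12:00:04.000000 IP 192.0.2.44.5000 > 198.51.100.9.80: S 77:77(0) win 5840
12:00:05.000000 IP 192.0.2.99.31337 > 192.0.2.20.139: S 9:9(0) win 1024
"""


class Packet(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    rest: str

    @property
    def is_initial_syn(self) -> bool:
        # "S" with no "ack" is the first half of a handshake, or a half-open probe.
        return self.rest.startswith("S ") and " ack " not in f" {self.rest} "


def parse_trace(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip sensor output this small parser does not model
        packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["rest"]))
    return packets


def find_syn_scans(packets: List[Packet], min_ports: int = 5) -> List[Tuple[str, str, List[int]]]:
    """One source sending initial SYNs to many ports of one host: active targeting."""
    ports = defaultdict(set)
    for p in packets:
        if p.is_initial_syn:
            ports[(p.src, p.dst)].add(p.dport)
    return [(src, dst, sorted(ps)) for (src, dst), ps in ports.items() if len(ps) >= min_ports]


def antispoof_violations(packets: List[Packet], internal_net: str) -> List[Tuple[str, Packet]]:
    """RFC 2827 at the border: packets leaving must carry an internal source (egress);
    packets arriving from outside must not claim an internal source (ingress)."""
    net = ipaddress.ip_network(internal_net)
    findings = []
    for p in packets:
        src_in = ipaddress.ip_address(p.src) in net
        dst_in = ipaddress.ip_address(p.dst) in net
        if not dst_in and not src_in:
            findings.append(("egress", p))   # our own users spoofing someone else's address
        elif dst_in and src_in:
            findings.append(("ingress", p))  # outsider forging one of our addresses at the border
    return findings


def severity(criticality: int, lethality: int, system_cm: int, network_cm: int) -> int:
    """Northcutt's formula, each factor scored 1-5:
    (Criticality + Lethality) - (System Countermeasures + Network Countermeasures)."""
    for v in (criticality, lethality, system_cm, network_cm):
        if not 1 <= v <= 5:
            raise ValueError("each factor is scored 1 to 5")
    return (criticality + lethality) - (system_cm + network_cm)


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for src, dst, ps in find_syn_scans(pkts):
        print(f"SYN scan: {src} -> {dst} ports {ps}")
    for kind, p in antispoof_violations(pkts, "192.0.2.0/24"):
        print(f"{kind} spoof: {p.src}.{p.sport} > {p.dst}.{p.dport} ({p.rest})")
    # A scan of a low-value, patched host with no firewall rule in front of it.
    print("severity:", severity(2, 3, 4, 2))
```

Run as-is, the script reports the five-port scan from 203.0.113.7, the outbound packet from 10.9.9.9 that an egress filter on 192.0.2.0/24 should have dropped, the inbound packet claiming an internal source, and a severity of -1 for the constructed scoring. The SYN/ACK from the web server is deliberately not counted as a probe, which is the distinction a new analyst most often misses when reading flags by eye.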


Customer Reviews

4.2 out of 5 stars
Most helpful customer reviews
5.0 out of 5 stars When a good book is worth a thousand experiences! Feb. 23 2002
Format:Paperback
This is the best book about Intrusion Signatures published yet.
I teach computer security at a local university, and with only the help of this book I could take care of all the practical aspects of my last course. If you already have a good background in this field, and read and understand the book thoroughly, then you can afford any related security certification test.
Chapters 3 through 17 present several well-documented cases, which, in turn, are discussed following the same standard:
- Presentation
- Source of Trace
- Detect Generated by
- Probability the Source Address Was spoofed
- Attack Description
- Attack Mechanism
- Correlations
- Evidence of Active Targeting
- Severity
- Defense Recommendations
- Questions
Chapter 1 introduces the reader to the analysis of logs (including Snort, Tcpdump, and Syslog), IDS, and firewalls. Even though it is a quick review, it is quite useful.
Chapter 2 explains the way the cases are studied.
The covered vulnerabilities and attacks include:
- Internet Security Threats
- Router and Firewall Attacks
- IP Spoofing
- Network Mapping and Scanning
- Denial of Service
- Trojans
- Assorted Exploits
- Buffer Overflows
- IP Fragmentation
- False Positives
- Crafted Packets
Bottom line: this is one of the 5 best computer security books I have ever read. Even for non-experts, the book can be a valuable tool to improve their understanding of this field.
Try it.
5.0 out of 5 stars You want experience? Feb. 6 2001
Format:Paperback
The real-world signatures in this book, along with the analysis, make this a wonderful reference book. There is, of course, no substitute for experience. However, this book provides an excellent baseline of experience for any Intrusion Analyst! From that baseline one should be able to better analyze future attacks; there is, after all, only so much an attacker can do.
This book was made possible by contributors to GIAC (Global Incident Analysis Center), professionals out "in the trenches" dealing with attacks of all shapes and sizes on a daily basis. These traces were not generated in a lab; they're the same traces you will see on your network if you're looking for them.
I've already used this book as a reference guide, and it sits on my shelf next to "TCP/IP Illustrated V1" by Dr. Richard Stevens and "Intrusion Detection: An Analyst's Handbook V2" by Stephen Northcutt and Judy Novak; I use all of them on a regular basis.
Whether you are just starting out in the IDS realm or whether you're an established Analyst sitting on an enterprise of sensors this book is for you.
-- Brent Deterding Enterprise Manager of Network Security - Solutia Inc.
Format:Paperback
Disclaimer: I withdrew a chapter from this book, and my words appear on p. 25. "Intrusion Signatures" tries to share the collective wisdom of SANS GIAC certification candidates, tempered by more experienced SANS editors. I applaud their intentions, but the uneven analysis and commentary warrants faint praise. New analysts flying solo should not read this book. Analysts with a guru to consult should get his or her input before trusting the book's interpretations.
Examples: (1) Eric Hacker expertly discusses a Windows password problem on pp. 77-85, but a significant trace is missing on p. 81. This causes the following dozen traces to not match their respective explanations. Would a new analyst notice? (2) Several times (p. 87, etc.) the authors fail to realize "public" is a common default SNMP "read" community string, while "private" is the "read/write" counterpart. This mistake is crucial elsewhere in the book. (3) The editors call a clear example of round-trip-time determination a "half-open DNS scan." It's ok for certification students to make judgement errors, but SANS editors should explain why that view isn't correct. (4) A very questionable "SYN flood" trace in ch. 10 doesn't match the "reproduction" of the same trace in the question-and-answer appendix -- that one's missing a crucial packet! (5) A "spoofed FTP request" in ch.11 looks like an active FTP data attempt to me. That concept is explained on p. 329, but the authors don't apply the same reasoning to ch.11's example. Why?
On the positive side, I was impressed by Mark Cooper's work on buffer overflows and ICMP redirects.
Format:Paperback
A must-have for the serious network security professional, Intrusion Signatures And Analysis opens with an introduction to the output formats of some of the more common sensors and then begins a tutorial on the standard format of the signatures and analyses used in the book. Readers will find page after page of signatures, ordered by category, as well as a case study section on how attacks have shut down the networks and web sites of Yahoo and eBay and what those attacks looked like. As an added feature, the collaborating authors Stephen Northcutt, Mark Cooper, Matt Fearnow, and Karen Frederick included review questions throughout the book to help readers be sure they comprehend the traces and material that have been covered. Intrusion Signatures And Analysis is a recommended resource for the SANS Institute GIAC certification program. 448 pp.